Security and Smart Contract Audits

Summary

At Reservoir we take smart contract security very seriously to ensure the protection of our developers and their users. Below is a breakdown of the smart contracts used within the Reservoir ecosystem and their security/audit status.

Aggregation

Reservoir aggregates different NFT exchange protocols, allowing you to access them all through a single, simplified interface. All supported protocols have undergone extensive audits:

The full list of aggregated marketplaces can be found here.

Creating Orders

When you create an order through a Reservoir-powered marketplace, the listing or bid happens through one of the above protocols. Seaport is used by default, but each team that deploys a marketplace chooses which protocol to use.

To list, you must approve the exchange contract to transfer your tokens. This is exactly the same as if you listed directly on another marketplace. In fact, if you have already approved a particular exchange contract through OpenSea, Coinbase or LooksRare, you don’t need to do it again on a Reservoir-powered marketplace. You’re approving the underlying exchange, not Reservoir.

Purchasing

Single-item sales are executed via the order's native exchange contract. Multi-item sales are executed through Reservoir’s Router contract, enabling users to purchase items from different marketplaces in one transaction.

Reservoir's Router contract has had the following audits:

  • V3 internally audited by multiple teams, including Art Blocks and Coinbase
  • V4 & V5 are minor edits to V3, based on audit feedback
  • V6 audited by Consensys Diligence (report and response)

Note: V6 is currently live on Mainnet and being used by our hosted APIs.

This contract does not hold any user funds or have permission to spend user funds. All actions must be directly approved by the user, on a per-transaction basis. This gives it a very different security profile from the exchange contracts above, or from DeFi protocols.

Deployed Contracts

Source Code